Google hijacked

I was recently hit with a massive malware attack that gave me a wide range of problems, including fake Windows security updates. After running Malwarebytes and SUPERAntiSpyware, most of the problems were resolved except for one. Google and every other search engine I try are completely hijacked. Clicking on any search result will redirect to various other advertisements and different websites. I was going to try system restore, but there does not appear to be any previous restore points available. I am not sure whether this is related to the malware as well. I am running Windows XP with service pack 2 installed. Thank you.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.zip) and save it to your Desktop. <- Important!!! Be sure to print out and follow all instructions for performing a scan or refer to these instructions with screenshots.

Extract (unzip) the file to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the Desktop. Vista/Windows 7 users refer to these instructions if you're unsure how to unzip a file.

If you don't have an extracting program, you can download TDSSKiller.exe and use that instead.

Double-click on TDSSKiller.exe to run the tool for known TDSS variants. Vista/Windows 7 users right-click and select Run As Administrator.

When the program opens, click the Start Scan button.

Do not use the computer during the scan

If the scan completes with nothing found, click Close to exit.

Any objects found will show in the Scan results - Select action for found objects and offer three options.

If an infected file is detected, the default action will be Cure...do not change it.

If 'Suspicious' objects are detected, you will be given the option to Skip or Quarantine. Skip will be the default selection. Leave it as such for now.

A log file named TDSSKiller_version_date_time_log.txt will be created and saved to the root directory (usually Local Disk C:).

Copy and paste the contents of that file in your next reply.

-- If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer.

-- For any files detected as 'Suspicious' (except those identified as Forged to be cured after reboot) get a second opinion by submitting to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.

-- Post back with the results of the file analysis.

Your Malwarebytes Anti-Malware log indicates you are using an older version (1.46) with an outdated database. Please download and install the most current version (v1.50.1) from here. You may have to reboot after updating in order to overwrite any "in use" protection module files.

The database shows 6586. Last I checked it was 6616.

Update the database through the program's interface <- preferable method. Then perform a Quick Scan in normal mode and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally will prevent Malwarebytes' from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

If using Mozilla Firefox, you will be prompted to download and use the ESET Smart Installer. Just double-click on esetsmartinstaller_enu.exe to install.

Vista/Windows 7 users need to run Internet Explorer/Firefox as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.

Click the green button.

Read the End User License Agreement and check the box:

Check .

Click the button.

Accept any security warnings from your browser and allow the download/installation of any required files.

The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed. If given the option (when threats are found), choose "Quarantine" instead of delete.

When the scan completes, push

Push , and save the file to your desktop as ESETScan.txt.

Push the button, then Finish.

Copy and paste the contents of ESETScan.txt in your next reply. If no threats are found, there is no option to create a log.

Some infections will alter the Proxy settings in Internet Explorer which can affect your ability to browse, update or download tools required for disinfection. Check/Reset Proxy Server Settings. To do that, please refer to Steps 4-7 under the section Automated Removal Instructions for System Tool using Malwarebytes' Anti-Malware in this guide.

Alternatively, you can press the WINKEY + R keys on your keyboard or click > Run..., and in the Open dialog box, type: inetcpl.cpl
Click OK or press Enter. Click the Connections tab and continue following the instructions in the above guide.

CAUTION: It's possible that your ISP (Internet Service Provider) requires specific DNS settings here. Make sure you know if you need these settings or not BEFORE you make any changes or you may lose your Internet connection. If you're sure you do not need a specific DNS address, then you may proceed.

If using a router, disconnect from the Internet and reset your router with a strong logon/password. Many users seldom change the default username/password on the router and are prone to some types of infection. If you're not sure how to do this, refer to the owner's manual for your particular router model. If you do not have a manual, look for one on the vendor's web site which you can download and keep for future reference.

Consult these links to find out the default username and password for your router and write down that information so it is available when doing the reset: